How does GDPR affect the rules for research?
The European General Data Protection Regulation (GDPR) has meant that researchers utilising big data across the EU member states have been subject to data protection regulation. Researchers process big data, which takes the form of an expansive data bank that can be analysed to reveal trends. The GDPR research exemption will not prevent big data from being used, but it will put in place obstacles to ensure that the use of this big data is ethical, and that researchers using this data can be held accountable for their processing through data protection. The GDPR focuses on the importance of making research ethical and fair, and therefore researchers need to be fully educated about the GDPR research exemption.
How GDPR will affect the Research Industry:
The research industry is essential to the economy, health service, scientific advancement and the political systems of the EU member states; therefore, the GDPR ensures that the new regulations do allow researchers a degree of flexibility. The only requirement is that this research must be conducted ethically and lawfully, by applying the new appropriate safeguards stated in the GDPR.
Therefore, it is essential for research organisations such as the NHS, universities and the Biological Sciences Research Council to be aware of how to comply with the GDPR.
Article 6 of the GDPR establishes the lawful basis needed for an organisation to process personal data. Once this has been demonstrated, a research agency needs to conduct a procedure to gain consent from a data subject, as no data can be used by a research agency without initial consent from a data subject.
The GDPR wants to ensure that consent from a data subject has been lawfully granted. Therefore, recital 33 allows a data subject to give a data controller their specific consent to scientific research, but only for a specified part of the scientific research being conducted.
The GDPR permits the process of re-purposing when it comes to data protection and research. This means that a data subject's personal data can be used again by the data controller, if the purpose is compatible with the initial purpose.
Recital 159 of the GDPR focuses upon protecting personal data and sensitive data which is used for research. Recital 159 establishes a broad definition of research, ranging from fundamental research to privately funded research.
Recital 113 addresses legitimate interest: after a data controller has obtained initial consent from a data subject, the data controller can use the personal data again for a purpose which is related to the initial purpose. Legitimate interest has to be used appropriately; if the use of the personal data has the potential to infringe the data rights of the data subject, then the legitimate interest premise should not be used.
To ensure that the personal data and sensitive data used in research is protected, the GDPR demands that appropriate safeguards are implemented. Article 89 of the GDPR ensures that these safeguards deal with the issue of further processing. If a data controller further processes a data subject's information, but they no longer require the identification of the data subject, then the data controller is expected to destroy such identification.
Data minimisation means that the personal data handled by the research authorities must only be used if it is needed. Furthermore, researchers can process personal data in order to make it anonymous, and this should be done wherever possible.
Article 17 allows a data subject the right to be forgotten if they have offered their personal data to scientific research. Moreover, Article 21 allows a data subject the right to object to the use of their personal data in specific circumstances during scientific research. Therefore, these safeguards effectively protect the personal data of data subjects who have given their information to scientific research.
Data Breaches in the Research sector
If data protection is not upheld within research, then a data breach may occur. Consequently, the Information Commissioner's Office (ICO) will be responsible for administering the consequences, which can reach a monetary fine of up to €20 million or 4% of an organisation's global annual turnover, whichever is the higher total.
In April 2018, BSI, the British national standards body, found through its research that only 5% of European organisations were prepared for GDPR implementation. The lack of preparation back in April suggests that there will be an influx of work for the ICO once the GDPR is fully implemented.
Therefore, if research organisations want to remain GDPR compliant, then they must undergo the correct training and education in GDPR regulations and safeguards.